
Day-25 osTicket and ELK integration

day-25-cover

Today we’re wrapping up the environment setup for SOC investigations by integrating osTicket with ELK, so that Elastic can open tickets in osTicket for us. Start both instances, log in to osTicket’s Admin Panel, and let’s get going.

home-page.png

Click on the Manage option.

manage.png

You’ll see the API option there. Click on it, then click ‘Add New API Key’.

api.png

To create the API key, we’ll need the private IP address of our ELK instance: osTicket binds each API key to a single source IP and rejects requests for that key that arrive from any other address, so the key will only work from the ELK server. You can find the address under Settings > VPC 2.0; copy it.

private-ip.png

Paste the IP address into the IP address field, tick only ‘Can create ticket’ (the connector needs nothing more than that), provide a description, and click ‘Add key’.

add-key.png

Back in the Manage tab you’ll see the generated API key. Treat it like a password; it will go into the connector configuration on the ELK side in a moment.

api-key.png

Now log in to Elastic with your credentials. From the hamburger menu, go to the Management section and select Stack Management.

stack-manage.png

To use all the connector types listed under ‘Create Connector’ in the ‘Alerts and Insights’ section, you’ll need to start the 30-day free trial. Click ‘Manage License’ to begin it.

connectors.png

manage-license.png

Next, go to Connectors. We’ll create a Webhook connector, which sends an HTTP request to a web service; in our case that web service is the osTicket API.

webhook.png

Let’s get started! First, give your connector a name. Set the method to POST and enter the URL of your osTicket instance’s ticket API (the path ends in /api/tickets.xml). Leave the connector’s own username/password authentication off: osTicket authenticates the request with the API key instead, so add an HTTP header that carries it. The header name osTicket looks for is X-API-Key, and the value is the key we just generated.

webhook-detail.png

Remember to save the configuration after any change. Edits to the connector don’t take effect until they are saved.

save&test.png

Next up, we need an XML payload for the body. The osTicket GitHub repository has a ready-made example XML body; copy it into the body field. Feel free to change the subject, but keep everything else the same unless you have a reason to change it, because osTicket rejects a body that is not well-formed XML or that lacks the required fields.

xml-payload-github.png

test-fail.png

Our test failed with a bad request. Let’s figure out what went wrong. First, let’s ping the osTicket server’s private IP from the ELK server to see whether it’s reachable at all.

ticket-private-ip.png

host-unrecheable.png

Looks like a connectivity problem: the ELK server can’t reach it. Let’s head over to the osTicket server to troubleshoot. You can see the osTicket server’s IP addresses with the ipconfig command.

no-private-ip.png

We see the public IP address, but the private IP is missing. Let’s set it from the Control Panel. Head to Network and Internet, then click ‘Change adapter settings’.

network.png

adapter-settings.png

Identify the network adapter you want to change, excluding any that carries the public IP address. Set that adapter’s IP address to the private IP your provider assigned to the osTicket server, and then save the changes.

change-private-ip.png

Confirm by running ipconfig again.

configrm-ip.png

As shown in the screenshot, the private IP address has been updated, and we can successfully ping it from the ELK server.

can-ping-private-ip.png

Let’s update the IP address in the connector’s POST URL, save the change, and rerun the test.

change-ip-inconnector.png

test-success.png

Success! The integration was a breeze once the network was sorted out. Head over to the osTicket Agent Panel to see the newly created ticket, with the subject we set in the XML payload body. It’s a small victory, but it’s a step in the right direction!

ticket-created.png
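As an added example (not code from this post, nor from osTicket or Elastic), here is a Python script that does what the webhook connector does: it builds the XML ticket body, sends it with the X-API-Key header, and checks the TCP port first, which is the test to run from the ELK server when the connector test fails (a ping only proves the host routes, not that the web server is listening). It runs against a small constructed stand-in for osTicket on localhost so it works offline; the stand-in’s URL path, status codes and messages are assumptions modelled on osTicket’s documented behaviour, not its code. Point the URL and key at your own instance to use it for real.

```python
"""Added example: exercise the osTicket ticket API the way the Kibana webhook
connector does, against a constructed stand-in for osTicket so it runs offline.
The header name and XML layout are osTicket's; the stand-in's path, status codes
and messages are assumptions modelled on osTicket's documented behaviour."""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.etree import ElementTree as ET

API_KEY_HEADER = "X-API-Key"  # the header osTicket reads the API key from


def build_ticket_xml(name, email, subject, message):
    """Build the XML body for osTicket's tickets API. ElementTree escapes every
    value, so an alert subject containing '<' or '&' cannot break the document."""
    root = ET.Element("ticket", alert="true", autorespond="false", source="API")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "email").text = email
    ET.SubElement(root, "subject").text = subject
    ET.SubElement(root, "message", type="text/plain").text = message
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def tcp_reachable(host, port, timeout=2.0):
    """Check the port, not just the host: ping proves routing, not a listening server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def post_ticket(url, api_key, body, timeout=5.0):
    """POST the body with the API key header; return (status, response text).
    Error statuses are returned, not raised, so the caller can inspect them."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={API_KEY_HEADER: api_key, "Content-Type": "text/xml"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class _MockOsTicket(BaseHTTPRequestHandler):
    """Constructed stand-in for osTicket's /api/tickets.xml endpoint (assumed behaviour)."""

    def do_POST(self):
        srv = self.server
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # osTicket checks both the key and the source IP the key was created for
        if (self.headers.get(API_KEY_HEADER) != srv.api_key
                or self.client_address[0] != srv.allowed_ip):
            return self._reply(401, "API key not found/active or source IP not authorized")
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return self._reply(400, "Unable to parse request body")
        subject = root.findtext("subject") if root.tag == "ticket" else None
        if not subject or not root.findtext("email"):
            return self._reply(400, "Missing required field")
        srv.tickets.append(subject)
        return self._reply(201, str(100000 + len(srv.tickets)))  # new ticket number

    def _reply(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_mock_osticket(api_key, allowed_ip="127.0.0.1"):
    """Start the stand-in on a free localhost port; return (server, ticket URL)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockOsTicket)
    srv.api_key, srv.allowed_ip, srv.tickets = api_key, allowed_ip, []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/osTicket/upload/api/tickets.xml"


def stop_mock_osticket(srv):
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    srv, url = start_mock_osticket("example-key")  # key value is a placeholder
    print("osTicket port reachable:", tcp_reachable("127.0.0.1", srv.server_port))
    body = build_ticket_xml("ELK", "elk@example.com", "Brute force <alert> & more", "Details")
    print(post_ticket(url, "example-key", body), post_ticket(url, "wrong-key", body))
    stop_mock_osticket(srv)
```

Run it from the ELK host with the real URL and key substituted; a 401 with the key correct means the request is arriving from an address other than the one the key was created for, a 400 means the body is not what osTicket expects, and a connection error means the same network problem the post above hit.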

We’ve successfully completed our environment setup. Stay tuned for more!

This post is licensed under CC BY 4.0 by the author.